
#0104

Admin Resource Leak

Medium · +100 XP · A01:2021 Broken Access Control · CWE-639
BOLA · IDOR · Authorization · Privilege Escalation

Scenario

An internal notes service stores both public and admin-only notes. The getAdminNote endpoint accepts a requesting user ID and a note ID.

Notes flagged with adminOnly: true should be restricted to users with the admin role. However, the current implementation returns every note regardless of the adminOnly flag.

Regular users can read sensitive admin notes by simply guessing or enumerating note IDs.

Mixing public and privileged resources in the same endpoint without role checks is a common mistake. It allows regular users to access admin-only data simply by knowing or guessing an ID.

Your Tasks

  1. Fix getAdminNote so that adminOnly notes are only returned when the requesting user has role: 'admin'.
  2. Throw 'Forbidden' when a non-admin user requests an adminOnly note.
  3. Throw 'Not found' when the note or user does not exist.
  4. Return the note object for authorised requests.

Examples

Example 1: Blocked — regular user accessing admin note

getAdminNote('alice', 'note-secret', notes, users)
// note-secret has adminOnly: true, alice has role: 'user'
// → throws Error('Forbidden')

Example 2: Allowed — admin accessing admin note

getAdminNote('superadmin', 'note-secret', notes, users)
// superadmin has role: 'admin'
// → returns note object

Constraints

  • Only edit the function body — do not change the function signature.
  • Throw exactly 'Forbidden' and 'Not found'.
  • Non-adminOnly notes must remain accessible to all authenticated users.
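The vulnerable endpoint described in the scenario next to a hardened version that satisfies the four tasks, as an added example rather than the challenge's own solution file. It assumes `notes` and `users` are plain objects keyed by id and that each user record carries a `role` string; the challenge text does not fix that data shape, so adapt the lookups if the sandbox passes arrays instead.

```javascript
// Constructed sample data (not from the challenge); shape is an assumption.
const users = {
  alice: { id: 'alice', role: 'user' },
  superadmin: { id: 'superadmin', role: 'admin' },
};
const notes = {
  'note-public': { id: 'note-public', adminOnly: false, body: 'Lunch menu' },
  'note-secret': { id: 'note-secret', adminOnly: true, body: 'Key rotation plan' },
};

// Safe lookup: only own properties count, so ids such as 'constructor' or
// '__proto__' never resolve to inherited Object.prototype members.
function lookup(table, id) {
  return Object.prototype.hasOwnProperty.call(table, id) ? table[id] : undefined;
}

// Vulnerable form, as the scenario describes it: the adminOnly flag is never
// consulted, so any caller who knows or guesses a note id receives it.
function getAdminNoteVulnerable(userId, noteId, notes, users) {
  const note = lookup(notes, noteId);
  if (!note) throw new Error('Not found');
  return note;
}

// Hardened form implementing tasks 1 to 4: existence check, then role check,
// then return. Non-adminOnly notes stay readable by every known user.
function getAdminNote(userId, noteId, notes, users) {
  const user = lookup(users, userId);
  const note = lookup(notes, noteId);
  if (!user || !note) throw new Error('Not found');
  if (note.adminOnly === true && user.role !== 'admin') {
    throw new Error('Forbidden');
  }
  return note;
}

// Small harness that turns a thrown error into a value, so both versions can
// be compared on the same inputs without try/catch at every call site.
function tryGet(fn, userId, noteId) {
  try {
    return { ok: true, note: fn(userId, noteId, notes, users) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Example 1 and Example 2 from the page, plus the two error paths.
console.log(tryGet(getAdminNote, 'alice', 'note-secret'));      // Forbidden
console.log(tryGet(getAdminNote, 'superadmin', 'note-secret')); // note object
console.log(tryGet(getAdminNote, 'alice', 'note-public'));      // note object
console.log(tryGet(getAdminNote, 'alice', 'note-missing'));     // Not found
console.log(tryGet(getAdminNoteVulnerable, 'alice', 'note-secret')); // leaks
```

One design point worth noticing: the tasks require the existence check to run before the role check, so a non-admin can still tell an existing admin note ('Forbidden') apart from a missing one ('Not found'). That is what the challenge specifies, but in a production API you would normally collapse both cases into a single not-found response so the endpoint does not double as an id-enumeration oracle.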

Hint

References
